Support a new "secret" auth method on the phone #802

Merged
merged 3 commits into from
Mar 17, 2021

Conversation

shankari
Contributor

This is a partial fix for issue
e-mission/e-mission-docs#628

The new method assumes that all tokens are prefixed by a shared secret between
the server and the client. This means that all tokens have two parts both of which are validated by the method.

- The second part is used to identify the user, randomly generating it on the
  phone ensures that users can only see their own data.
- The first shared part is configured into both the app and the server. It
  ensures that users can only connect to the server from authorized clients,
  which in this case, are smartphone apps that embed the secret.
- bonus fix to generate the correct error (403 instead of 401) in case of auth errors

Testing done:

- configured the webserver to use the secret method
- configured one valid secret `"FOOBAR"`
    - auth failed on the server
    ```
    END 2021-03-16 11:33:43.257294 POST /result/metrics/timestamp  0.00736689567565918
    Traceback (most recent call last):
      File "emission/net/api/cfc_webapp.py", line 594, in getUUID
        retUUID = enaa.getUUID(request, auth_method, inHeader)
      File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 67, in getUUID
        retUUID = getUUIDFromToken(authMethod, userToken)
      File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/auth.py", line 41, in getUUIDFromToken
        userEmail = AuthMethodFactory.getAuthMethod(authMethod).verifyUserToken(token)
      File "/Users/kshankar/e-mission/e-mission-server/emission/net/auth/secret.py", line 29, in verifyUserToken
        (token, len(self.client_secret_list)))
    ValueError: Invalid token REPLACEMEkVVdF9rT, not found in list of length 1
    ```
    - reflected on the client
    ```
    2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)
    2021-03-16 11:32:58.087 23394-23394/edu.berkeley.eecs.emission.devapp I/chromium: [INFO:CONSOLE(145)] "ERROR:Error loading user data"While pushing/getting from server HTTP/1.1 403 Forbidden"", source: http://localhost/_app_file_/data/user/0/edu.berkeley.eecs.emission.devapp/files/phonegapdevapp/www/index.html (145)
    ```
- configured the same valid secret as the phone `"REPLACEME"`
  e-mission/e-mission-phone@c00f63b
    - auth succeeded on server
    ```
    START 2021-03-16 11:36:22.818484 POST /result/metrics/timestamp
    END 2021-03-16 11:36:22.832453 POST /result/metrics/timestamp cf8ccb7b-84d7-40e4-a726-7691e614b042 0.013911962509155273
    ```
    - reflected on client
    ```
    2021-03-16 11:36:21.821 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, connectionSettings = {"connectUrl":"http:\/\/10.0.2.2:8080","android":{"auth":{"method":"prompted-auth","clientID":"ignored"}},"ios":{"auth":{"method":"prompted-auth","clientID":"ignored"}}}
    2021-03-16 11:36:21.832 23394-23539/edu.berkeley.eecs.emission.devapp D/ConnectionSettings: in getConnectURL, returning http://10.0.2.2:8080
    2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: Posting data to http://10.0.2.2:8080/result/metrics/timestamp
    2021-03-16 11:36:21.836 23394-9405/edu.berkeley.eecs.emission.devapp I/System.out: About to execute query SELECT data FROM userCache WHERE key = 'prompted-auth' AND type = 'local-storage' AND write_ts >= 0.0 AND write_ts <= 1.615919781836E12 ORDER BY write_ts DESC
    2021-03-16 11:36:21.848 23394-9405/edu.berkeley.eecs.emission.devapp I/PromptedAuth: Auth found in local storage, now it should be stable
    2021-03-16 11:36:21.887 23394-9405/edu.berkeley.eecs.emission.devapp I/CommunicationHelper: Got response org.apache.http.message.BasicHttpResponse@c89c5d6 with status HTTP/1.1 200 OK
    ```
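The two-part token check the PR describes, as an added illustration (this is not the project's `secret.py`, whose body is not shown on this page; the class and method names mirror the traceback, `make_phone_token` and `auth_status` are hypothetical helpers, and the secret list and tokens are constructed from the values in the test log). It validates both parts: the prefix must equal one configured client secret, compared in constant time, and the remainder must be non-empty so that a bare secret never resolves to a user. A failed check maps to 403, matching the PR's error-code fix.

```python
"""Added example of a shared-secret-prefixed token check.
Assumption: token = <client secret><random per-user part>, as the PR states."""
import hmac
import secrets


class SecretAuthMethod:
    """Validates tokens of the form <shared secret><per-user random id>.

    client_secret_list stands in for the server-side configuration the PR
    describes: each entry is one secret embedded in an authorized client build.
    """

    def __init__(self, client_secret_list):
        if not client_secret_list or any(not s for s in client_secret_list):
            raise ValueError("client_secret_list must contain non-empty secrets")
        self.client_secret_list = list(client_secret_list)

    def verifyUserToken(self, token):
        """Return the user-identifying suffix, or raise ValueError.

        The prefix is compared with hmac.compare_digest so that the position of
        a mismatch is not observable through timing; the remainder must be
        non-empty, otherwise the token identifies nobody.
        """
        token_bytes = token.encode()
        for secret in self.client_secret_list:
            sb = secret.encode()
            prefix, user_part = token_bytes[:len(sb)], token_bytes[len(sb):]
            if hmac.compare_digest(prefix, sb) and user_part:
                return user_part.decode()
        # The token itself is deliberately left out of the message: the error
        # ends up in server logs, and the suffix is the user's credential.
        raise ValueError("Invalid token, not found in list of length %d"
                         % len(self.client_secret_list))


def make_phone_token(client_secret, nbytes=6):
    """What an authorized client does: prepend the embedded secret to a random,
    locally generated user id. secrets.token_urlsafe is this example's choice;
    the phone app's own generator is not shown on the page."""
    return client_secret + secrets.token_urlsafe(nbytes)


def auth_status(method, token):
    """HTTP status for a request carrying `token`: 200 on success, 403 on an
    auth failure (the PR's 403-instead-of-401 behaviour)."""
    try:
        method.verifyUserToken(token)
        return 200
    except ValueError:
        return 403


if __name__ == "__main__":
    server = SecretAuthMethod(["REPLACEME"])   # constructed, from the test log
    print(server.verifyUserToken("REPLACEMEkVVdF9rT"))          # kVVdF9rT
    print(auth_status(SecretAuthMethod(["FOOBAR"]), "REPLACEMEkVVdF9rT"))  # 403
    print(auth_status(server, make_phone_token("REPLACEME")))   # 200
```

One caveat this scheme carries regardless of implementation: because the prefix is matched by length, two configured secrets where one is a prefix of the other would make the split ambiguous, so a deployment should keep configured secrets the same length or at least never prefixes of one another.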

Using `0.0.0.0` used to break on iOS but doesn't seem to any more.
Makes it easier for end to end testing on both android and iOS since android
requires `0.0.0.0` to accept connections from the emulator.
@shankari shankari merged commit c23f98d into e-mission:master Mar 17, 2021
jf87 pushed a commit to jf87/e-mission-server that referenced this pull request Jun 21, 2021
Support a new "secret" auth method on the phone